U.S. DEPARTMENT OF THE INTERIOR
OFFICE OF INSPECTOR GENERAL
AUDIT REPORT

IMPROVEMENTS NEEDED IN MANAGING INFORMATION TECHNOLOGY SYSTEM SECURITY
NATIONAL PARK SERVICE

Graphic Courtesy of the U.S. Department of the Interior Office of the Chief Information Officer

REPORT NO. A-IN-NPS-0074-2003                                                    MARCH 2004

United States Department of the Interior
Office of Inspector General
National Information Systems Office
134 Union Boulevard, Suite 510
Lakewood, Colorado 80228

March 29, 2004

To:      Director, National Park Service

From:    Diann Sandy
         Manager, National Information Systems Office

Subject: Final Report, Improvements Needed in Managing Information Technology System Security, National Park Service (No. A-IN-NPS-0074-2003)

The subject report presents the results of our audit of security over National Park Service’s (NPS) information technology (IT) systems. The purpose of the audit was to determine whether controls effectively safeguarded the systems’ integrity, confidentiality, and availability. Although NPS has recently improved the security of its IT systems, much remains to be accomplished before an effective IT security management program is implemented.

In the February 6, 2004 response to the draft report, the Director of NPS concurred with the report’s 18 recommendations. Based on the actions described in the response and subsequent information provided by the Chief Information Officer for NPS, we classified 2 recommendations as resolved, 2 recommendations as resolved but not implemented, 10 recommendations as management concurs but additional information needed, and 4 recommendations as unresolved. The status of all the recommendations and the additional information requested is presented in Appendix 4.

The legislation, as amended, creating the Office of Inspector General requires that we report to the Congress semiannually on all audit reports issued, actions taken to implement our audit recommendations, and recommendations that have not been implemented.

Please provide a written response to this report by May 14, 2004. The response should supply the information requested in Appendix 4. We appreciate the cooperation provided by NPS staff during our audit. If you have any questions regarding this report, please call me at (303) 236-9243.

EXECUTIVE SUMMARY

BACKGROUND AND OBJECTIVE

To support its mission, the National Park Service (NPS) implemented local area networks in most of its approximately 400 offices, program centers, regions and support offices, and park units throughout the United States and its territories. These local area networks connect to 13 regional networks and one NPS-wide network. During our review, NPS reported to the Department of the Interior that NPS’ major IT systems comprised 14 general support systems (networks) and 6 major applications. NPS established a senior executive service level chief information officer (CIO) position to provide standardized IT system security policy and management and to head the Office of the Chief Information Officer (OCIO). This office contains approximately 75 federal and contractor employees whose responsibilities included management of IT security and operation of three primary data centers located in Washington, D.C., and Denver, CO. NPS had also established information officers and IT security managers in program centers and regional offices to promote information and IT system security.

The objective of the audit was to evaluate the effectiveness of the management and controls over NPS’ IT resources for ensuring integrity, confidentiality, and availability of information and IT systems. During our audit, we visited NPS locations as identified in Appendix 1.

RESULTS IN BRIEF

Despite recent organizational changes, we concluded that NPS lacked the basic foundation for an effective IT security program to ensure that issued IT security directives were consistently practiced. Specifically, NPS had not made sure that:

• Personnel were empowered to fulfill their assigned IT responsibilities or were effectively evaluated; IT duties were separated; IT security duties and responsibilities were included in position descriptions; risks of performing IT functions were mitigated through appropriate assignment of position sensitivity levels and subsequent background clearances; and IT personnel were adequately trained to fulfill their duties and responsibilities.

• Information and IT system risks were effectively managed by: conducting asset valuations to properly categorize systems as mission critical, conducting adequate assessments of risks, and developing system security plans and Plans of Actions and Milestones.

• Technical and physical access controls were effectively managed and safeguarded personnel and IT resources.

• Changes to operating systems and applications were authorized, tested, and approved.

• IT services could be continued in the event of a system failure or disaster.

• IT security controls were integrated throughout NPS, including incident response capability and a standardized network security infrastructure.

As a result, NPS information and IT systems are vulnerable to unauthorized access, misuse, and disruption of service, and its IT resources are at risk of being unreliable.

RECOMMENDATIONS

We made 18 recommendations to improve the NPS information security program.

AGENCY RESPONSE AND OFFICE OF INSPECTOR GENERAL REPLY

In the February 6, 2004 response to the draft report, the NPS Director concurred with the 18 recommendations. Based on the response and subsequent information provided, we considered 2 recommendations resolved and implemented, and classified 2 as resolved but not implemented, 10 as management concurs with additional information required, and 4 as unresolved. We requested that NPS provide us additional information on the unresolved recommendations.

TABLE OF CONTENTS

RESULTS OF AUDIT ......................................................................... 1

RECOMMENDATIONS FOR IMPROVING NPS’ INFORMATION SECURITY MANAGEMENT PROGRAM ......... 15

AGENCY RESPONSE AND OFFICE OF INSPECTOR GENERAL REPLY .................................. 21

AUDIT OBJECTIVE, SCOPE, AND METHODOLOGY ................................................ 23

APPENDICES
    1. SITES VISITED AND SYSTEMS REVIEWED .............................................. 25
    2. SUGGESTED MATRIX OF POSITION SENSITIVITY DESIGNATIONS FOR A GENERAL SUPPORT SYSTEM ... 27
    3. AGENCY RESPONSE TO DRAFT AUDIT REPORT ........................................... 29
    4.
STATUS OF AUDIT REPORT RECOMMENDATIONS ............................................. 33

RESULTS OF AUDIT

NPS’ organization does not support an effective information security management program.

Until the National Park Service (NPS) implements a sound and consistently practiced information security program, it will have little assurance that its information technology (IT) systems provide reliable, confidential, and available information. An effective information security program should provide for assigning responsibilities, establishing and enforcing security policies and procedures, managing risk, and monitoring the adequacy of IT security controls. NPS has not, however, established the basic framework for a good program. As a first step, NPS needs to make IT security an overall top priority and ensure that all levels of management understand their roles and responsibilities and are held accountable for safeguarding information and IT systems. The discussions that follow highlight areas where we believe improvements are needed for NPS to have an effective information security management program.

CIO lacked authority to be fully effective.

The NPS chief information officer (CIO) does not have the authority to manage all NPS information resources. Although the CIO position reports to a NPS Deputy Director, the CIO position has not been empowered to fulfill the responsibilities of a chief information officer. For example, the CIO is not an active member of the NPS National Leadership Council, as required by the Secretary of the Interior.[1] As such, the CIO was not able to effectively aid senior management in identifying IT security requirements and in developing sound IT security strategies. We also found that although the CIO may develop IT security policies, procedures, standards, and guidelines, the CIO lacked the authority to issue and to enforce compliance with these IT security directives by office, program center, region, and park unit management. Figure 1 presents our understanding of NPS’ IT management structure and shows that the CIO does not have authority over office, program center, region, and park unit IT staffs.

[1] The NPS National Leadership Council is the NPS’ executive-level decision-making team. Secretarial Order 3244 requires each bureau to have its CIO be a fully participating member of each bureau’s executive leadership/management team.

Figure 1. Office of Inspector General’s representation of NPS’ IT management structure.

Regional IT security managers lacked authority to be effective.

Regional IT Security Managers (RITSM) were not delegated sufficient authority to exercise their responsibilities and were not at organizational levels commensurate with their IT security responsibilities. (See Figure 1 above.) In the two regions we visited, one RITSM was organizationally three levels below the regional director and the other RITSM was one level below the regional director. Also, one of the RITSMs stated he/she did not have the authority to enforce information security policies and procedures at the park units. We believe that the regional IT security function should be part of the regional directorate so that it sits at an organizational level that allows it to exercise its responsibilities and authority.

Adequate separation of IT duties was not implemented throughout NPS.

NPS did not assign IT duties and responsibilities to provide for adequate separation of duties, which prevents a single individual from overriding critical processes. For example:

• The Bureau IT Security Manager (BITSM) was responsible for overall NPS information security and was also designated the system security manager for the NPS primary wide area network, NPSNet. Therefore, the BITSM was responsible for reviewing his own activities. Additionally, the BITSM was performing as both the BITSM and as the OCIO Project Manager.

• RITSMs were responsible for IT security and performed daily regional IT operations. Therefore, they could not independently perform their security responsibilities.

• Individuals responsible for system security management were also responsible for administering systems and networks. For example, at the Network Management Office, Intermountain Region support office, Natural Resources Program Center, Rocky Mountain National Park, Point Reyes National Seashore, and Bandelier National Monument, system administrators were also performing IT security functions.

• At three data centers, application programmers had access to the data centers, which may provide programmers the opportunity to modify or change production data, operating system configuration, and database management systems. Generally accepted information security practices recommend that application programmers should not have access to production data, operating systems, and database management systems because of the risk that inappropriate or malicious code could be installed and result in a compromise of the information and IT systems.

We realize that separation of duties may not be feasible at each park unit, but controls could be implemented such that regional IT staff help support the park units by performing some of the park unit’s security functions, such as reviewing system-generated logs. At locations where adequate separation of duties cannot be achieved, NPS should ensure that risk assessments identify the lack of adequate separation of duties so that management understands this risk and can make a cost-effective decision to either mitigate or accept the risk.

Position descriptions and performance standards did not address IT security.

Position descriptions for personnel with significant information security responsibilities, such as system owners, system and network administrators, and RITSMs, did not specify IT security responsibilities and duties. In addition, the CIO’s performance standards did not include information security as a rating factor. Consequently, NPS management and personnel that should be responsible for ensuring IT resources are adequately safeguarded could not be evaluated based on how they performed their security responsibilities.

Level of risk associated with IT positions was not established.

NPS had not established an overall sensitivity level for IT positions in relation to the duties to be performed. The Departmental Manual (441 DM 3) requires that positions be reviewed to determine the risk
of an individual performing the duties of the position and for assigning the appropriate sensitivity level for those positions. Specifically, NPS had not designated the appropriate sensitivity level of public trust[2] IT positions, such as system security manager, system administrator, and telecommunications specialist, commensurate with the risks associated with the duties. For example:

• Position sensitivity designations were different for personnel performing the same IT duties. One RITSM was designated a sensitivity level of “non-sensitive” (low risk), while the other was designated a sensitivity level of “noncritical-sensitive” (moderate risk). This resulted in NPS management accepting different levels of risk for positions with similar duties and functions. In addition, different types of background investigations would be required.

• IT positions and functions being performed by contractors were not assigned sensitivity levels. For instance, we reviewed three contracts that provided for contractor personnel to perform IT functions at NPS’ data centers. We found that the contracts had no requirement for designating sensitivity of the contractor positions, such as application programmer, network administration, and telecommunications support, or for background investigations and resultant security clearances. One of these contracts required contract employees to be fingerprinted and for background checks to be performed. However, NPS was not able to substantiate that background investigations were completed and that the appropriate security clearances were obtained.

• Management at one region stated that background reinvestigations had not been performed of its employees.

[2] According to the Departmental Manual (441 DM 3), public trust positions are those that are not related to national security duties.

To determine position sensitivity, NPS could develop a matrix of all positions related to IT responsibilities and identify the associated risks to information and IT systems and the sensitivity level of those positions. Appendix 2 presents an example of this matrix concept.

IT training required to safeguard IT resources was not mandated.

During our site visits throughout NPS, we observed that overall the IT staffs at these sites were resourceful and effective in providing IT services and customer support. However, while NPS provided basic computer security awareness training and other IT-related training, it did not ensure that IT specialists in regions and park units were encouraged or required to receive training specific to information security and IT security management. For example, an IT specialist at a park unit had to determine on his/her own how to implement a new system. In addition, at most locations we visited, personnel had not been provided training specific to their duties and fulfilling their responsibilities in managing and operating NPS networks and servers. For instance, one IT specialist did not receive training on implementing a planned new NPS operating system. In that regard, NPS had not developed an IT career management program that included training requirements for all levels of IT positions. Without a structured training program for employees with IT responsibilities, NPS lacks assurance that networks, systems, and data were adequately safeguarded.

IT systems were not properly categorized.

NPS did not properly categorize its general support systems and applications as mission critical. The Department of the Interior’s “Asset Valuation Guide” requires bureaus to categorize an IT system that processes, stores, or transports (1) Privacy Act or proprietary information as Mission Critical and (2) financial-related information as Financial Systems, which is above mission critical. The guideline also states that IT systems that are critical to the support of the Department’s core missions and goals and not assigned a higher category are to be categorized as mission critical. Almost all NPS networks transport these types of information; however, NPS categorized its networks at a lower level, business essential. Further, NPS’ Facilities Maintenance Support System, a major application, was categorized as business essential, even though the information in this system was used and maintained to support a DOI mission goal. Without performing asset valuations to properly categorize its systems, NPS has little assurance that all system resources have appropriate levels of protection.

IT risk assessments were not performed.

NPS had not performed risk assessments for 17 of its 20 general support systems and major applications. NPS reported to the Department that risk assessments had been performed for the 3 remaining systems: a general support system (NPSNet) and 2 major applications (Lotus Notes/Domino and ParkNet). However, we reviewed two of these risk assessments (NPSNet and Lotus Notes/Domino) and found that the assessments were incomplete, as follows:

• The NPSNet risk assessment was an initial assessment, which is less detailed and less extensive than a full risk assessment.

• The Lotus Notes/Domino risk assessment focused only on three major data centers, which would not likely represent the NPS-wide risk environment. Also, the assessment did not identify and assess all possible risks, such as those introduced by the supporting general support systems. Further, the assessment was based on the loss of operations only, and did not consider the value of the data maintained in the major application.

• Neither of the risk assessments included:

  o Input from all data owners, such as program center managers, regional directors, or park unit superintendents, in the determination of the risks.

  o Evidence that management agreed to mitigate the identified risks or to accept the residual risks.

Therefore, the level of risk may not be at an acceptable level to ensure that all information processed, stored, and transported was adequately safeguarded and that residual risk was understood and accepted by management.

System security plans were not adequate.

NPS began drafting system security plans for local area and wide area networks, such as NPSNet, Intermountain Region,[3] Pacific West Region, and Natural Resources Program Center networks. This is good; however, the requirement for system security plans was established in 1987.[4] The purpose of a system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. System security plans should include the elements identified in the National Institute of Standards and Technology Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems,” and DOI policies.

[3] The Intermountain Region wide area network security plan included appendices for 67 of the park units within the region.

[4] The Computer Security Act of 1987 required that a plan for the security and privacy of each Federal computer system be developed one year after the enactment of the Act.
However, the NPS security plans did not always include the following required features:

• Appropriate assignment of responsibilities.

• Appropriate classification of data sensitivity and criticality that was processed, stored, and transported.

• Descriptions of components of general support systems and the applications they support.

• Identification of general support systems that support the major applications.

• Identification of all of the interconnection points (including Internet service providers and dial-in access) and agreements for connecting to other NPS internal and external networks.

• Physical and environmental controls.

• All milestone dates for implementing planned controls.

In a related matter, the CIO was in the process of consolidating individual park unit local area networks and regional wide area networks for the purpose of performing only one certification and accreditation. Office of Management and Budget (OMB) Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” stipulates that any interconnected system, such as a local area network, under the same direct management control is considered a general support system requiring a system security plan. Local area networks at the park units and the regions are under the management control of the park superintendents and the regional directors, respectively. Therefore, we believe that unless the consolidated system is under the direct management control of the CIO, each network will require a separate security plan that should be included as part of the one general support system security plan.

Plans of Actions and Milestones were not adequate.

OMB requires that agencies develop Plans of Actions and Milestones (POA&M) for every program and system for which weaknesses are identified through internal and external reviews. The POA&M process is to aid management in identifying, prioritizing, and monitoring the progress towards correcting the security weaknesses. Although NPS’ POA&Ms have improved, they were not adequate for the following reasons:

• Not all of the weaknesses identified by the Office of Inspector General (OIG), NPS internal control reviews, and DOI program reviews were included. For example, not all financial statement findings related to IT that had been reported by the OIG for fiscal years 2001 and 2002 were included in the POA&M.

• There was no prioritization or strategy for correcting the weaknesses. For example, a security plan was to be developed for a general support system by July 1, 2003, whereas prerequisite reviews and documents, such as an asset valuation, a technical vulnerability assessment, and a management control review, were not planned to be completed until October 1, 2004.

• Dates reported for corrective actions were not consistent with the supporting documentation. For example, in the June 2003 POA&M submitted to the Department, NPS reported that the system security plan for NPSNet was completed in December 2002; however, only a draft system security plan dated June 2003 had been done.

• Not all of the weaknesses in systems’ components were identified by NPS, and therefore they were not included in the POA&M. For example, NPS did not recognize that storing backup media at employees’ homes was a security weakness.

• Incremental steps needed to mitigate identified weaknesses were not reported. For example, in the June 2003 POA&M, NPS identified a weakness related to Internet connections. The planned corrective action involved two options and one milestone completion date of December 30, 2004. However, the POA&M did not include steps and completion dates for determining which option to select and the incremental steps for implementing the selected option. Consequently, NPS reported the status of this particular item as “ongoing” and did not indicate the progress in correcting the weakness.

During the course of our audit, NPS began to identify the resources needed to correct the reported IT weaknesses. However, these resource costs had not been integrated with the NPS IT capital planning and control process.

System users’ accounts were mismanaged throughout NPS.

Because system users’ accounts were managed by each NPS organizational unit (offices, program centers, regions, and park units) and inconsistent methodologies were practiced in managing system user accounts, NPS had little assurance that users’ access levels were based on the users’ day-to-day activities or that the user accounts were authorized.
For example:\n\n                             \xc2\xbe User accounts were not always disabled or deleted when\n                               individuals left NPS or changed positions within NPS.\n\n                             \xc2\xbe Users were issued multiple system user identifications,\n                               which may allow them to circumvent system access controls\n                               and bypass separation of duties.\n\n                             \xc2\xbe Users at one park unit were automatically provided dial-in\n                               access when their user accounts were established by the park\n                               unit\xe2\x80\x99s IT staff even though we found no evidence that the\n                               users were authorized this type of access.\n\n                             \xc2\xbe There appeared to be no periodic review of user accounts by\n                               system owners or supervisors to ensure that the level of\n                               access granted was appropriate for each system user.\n\nPassword                  NPS had not consistently applied standard password procedures and\nmanagement was            practices for its servers to ensure adequate password management.\ninconsistent.             For example, at one location the setting for lockout duration was\n                          \xe2\x80\x9cForever\xe2\x80\x9d and at another location the setting was for 90 minutes. If\n                          the setting for \xe2\x80\x9cpassword lockout duration\xe2\x80\x9d is not set on \xe2\x80\x9cForever\xe2\x80\x9d\n                          an intruder has the opportunity to obtain the password because it\n                          allows unlimited guesses. 
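This section’s password-management finding (lockout duration set to “Forever” versus 90 minutes, and server settings that let users change passwords repeatedly until the original is accepted again) can be reasoned about with a small account-policy model. The simulator below is an added example written for this report, not NPS code; its policy values and account data are constructed placeholders, and it shows that a non-zero minimum password age, not the history length alone, closes the password-cycling weakness, and how the lockout duration bounds the number of online guesses an account can receive.

```python
"""Account-policy simulator: lockout duration and password-history cycling.

Constructed example for this audit finding, not NPS code. The policy values
and account data are illustrative placeholders, not settings observed at NPS.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Optional


def digest_of(password: str) -> str:
    # Stand-in for the server's stored credential; a real system would use a
    # salted, slow password hash rather than a bare SHA-256.
    return sha256(password.encode()).hexdigest()


@dataclass
class AccountPolicy:
    lockout_threshold: int = 5                      # failed logins before lockout
    lockout_duration: Optional[timedelta] = None    # None models the "Forever" setting
    password_history: int = 12                      # previous passwords that may not be reused
    min_password_age: timedelta = timedelta(days=1)  # earliest allowed change after the last one


@dataclass
class Account:
    current: str                                        # digest of the current password
    history: List[str] = field(default_factory=list)    # previous digests, newest first
    last_change: datetime = datetime(2003, 6, 1)
    failures: int = 0
    locked_at: Optional[datetime] = None


def is_locked(acct: Account, policy: AccountPolicy, now: datetime) -> bool:
    if acct.locked_at is None:
        return False
    if policy.lockout_duration is None:
        return True  # "Forever": only an administrator can clear the lock
    return now < acct.locked_at + policy.lockout_duration


def attempt_login(acct: Account, policy: AccountPolicy, password: str, now: datetime) -> str:
    """Returns "ok", "bad_password" or "locked"."""
    if is_locked(acct, policy, now):
        return "locked"
    if acct.locked_at is not None:  # a timed lockout has expired; start counting again
        acct.locked_at, acct.failures = None, 0
    if digest_of(password) == acct.current:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= policy.lockout_threshold:
        acct.locked_at = now
    return "bad_password"


def change_password(acct: Account, policy: AccountPolicy, new: str, now: datetime) -> str:
    """Returns "changed", "reused" or "too_soon"."""
    if now - acct.last_change < policy.min_password_age:
        return "too_soon"
    digest = digest_of(new)
    if digest == acct.current or digest in acct.history[: policy.password_history]:
        return "reused"
    acct.history.insert(0, acct.current)
    acct.current = digest
    acct.last_change = now
    return "changed"


def cycling_restores_original(policy: AccountPolicy) -> bool:
    """Can a user change passwords back-to-back until the original is accepted again?

    This is the weakness described in the finding. With min_password_age of zero
    the history is pushed out in one sitting; with a one-day minimum age the
    second change is refused.
    """
    now = datetime(2003, 6, 2)
    acct = Account(current=digest_of("Original1!"))
    for i in range(policy.password_history + 1):  # enough changes to push the original out
        change_password(acct, policy, f"Throwaway{i}", now)
    return change_password(acct, policy, "Original1!", now) == "changed"


def guess_budget_per_day(policy: AccountPolicy) -> int:
    """Upper bound on online password guesses one account can receive in 24 hours.

    A timed lockout lets the failure counter restart every period; "Forever"
    caps guessing at the threshold until an administrator intervenes.
    """
    if policy.lockout_duration is None:
        return policy.lockout_threshold
    periods = timedelta(days=1) // policy.lockout_duration
    return policy.lockout_threshold * (periods + 1)


if __name__ == "__main__":
    weak = AccountPolicy(lockout_duration=timedelta(minutes=90), min_password_age=timedelta(0))
    strong = AccountPolicy()  # "Forever" lockout and a one-day minimum password age
    for name, pol in (("weak", weak), ("strong", strong)):
        print(f"{name}: cycling restores original = {cycling_restores_original(pol)}, "
              f"guesses per day <= {guess_budget_per_day(pol)}")
```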
Additionally, we found that password settings in servers at some locations allowed users to circumvent the requirement for changing their passwords periodically. Consequently, the users could continually change their passwords until their original password could be used again. As a result, NPS systems may be operating with less stringent controls than expected by management.

Physical access to IT resources was not sufficiently controlled and monitored.

We found that access to data centers was not always adequately controlled. For example:

   • Although the Information Technology Center (ITC) used access cards and video monitoring as physical access controls to the data center, individuals who had key cards and accessed the data center were not always approved for access. We also noted that there were an excessive number of personnel with access to the data center, such as application programmers who were not part of the ITC or the OCIO. Due to potential blind spots in video monitoring, best practices suggest that methods be used to monitor personnel exiting data centers.

   • At the National Information Systems Center (NISC) data center, access was through the use of a cipher door lock. Although there were sign in/sign out logs, only non-NISC personnel were required to sign the logs. Consequently, there was no record of NISC personnel activities and specific NISC personnel could not be held accountable for any misuse of computer resources.

At the park units we found that:

   • Access to telecommunications closets was not limited. That is, they were located in general working areas, such as where a copy machine was located, a loading/receiving dock, a break room, and an amphitheater.

   • One server room was located in a general work area and was accessible by personnel other than IT personnel.

Environmental controls were not adequate to protect personnel and IT equipment.

At many park units visited, we noted that the server rooms did not adequately protect personnel and IT equipment. Specifically, some server rooms did not have adequate air conditioning units and proper fire suppression capabilities. For example, at Bandelier National Monument:

   • The air conditioner in the server room had a water leak. Although a bucket was placed below the air conditioner to catch the water, we observed water stains on the floor.

   • Access to the server room was from the outside of the building and the access door was not sealed, thus the room was susceptible to dust, sand, and rain.

The room was too small to house all of the equipment along with personnel and to provide for proper wire management. See Figure 2.

Figure 2. Photographs of the Bandelier National Monument Server Room

Although many park units use historical buildings as facilities for housing local area network server rooms, locating servers in historical buildings should not preclude NPS from implementing adequate environmental controls. Some examples of improvement that would not require changes to the historical structure or the building of new facilities may include:

   • Installing air conditioning units.

   • Installing rack and shelf systems to better use small spaces.

   • Installing weather seals around doors.

   • Supplying fire extinguishers.

Change management controls were not effective.

NPS has an Information System Life Cycle Manual which contains instructions on managing changes to systems. However, NPS did not have adequate controls over changes to computer hardware, such as computers, servers, and routers; operating systems; and application software. We found no evidence that changes made by IT personnel in program centers, regions, and park units to operating systems and application programs were authorized, tested, and approved prior to installation. We also found no evidence that the program centers, regions, and park units were required to develop test plans for changes and enhancements to operating systems and application software.

Continuity of services planning needs improvement.

NPS has not instituted adequate continuity of services planning. Continuity of services planning helps management identify and prioritize those daily processes or critical business functions that need to be restored first after emergencies, such as power interruptions or system failure. Weaknesses we observed in NPS’ preparation for continuity of services included:

   • Inadequate backup practices and offsite storage facilities to keep backup media and system and application documentation. For example, NPS practices did not include full backup of data and systems on any scheduled cycle.

   • Using employee homes as the off-site storage location for application software and network operating system backup media rather than a location that could be easily accessed by all required personnel.

   • Not storing security documents, such as system security plans and continuity of operations plans, at an off-site location.

   • Not testing those contingency or continuity of operations plans that did exist.

Incident response capability was not fully developed.

While some guidance had been issued, NPS had not distributed specific procedures for incident detection, reporting to FedCIRC, and responding to incidents. Additionally, we believe NPS’ policy for computer incident response was insufficient because it did not: (1) include all types of incidents, such as the misuse of government computers; (2) provide the protocol for communicating an incident; and (3) specify the procedures for mitigating an incident. For example, one regional network manager reported to the NPS wide area network management that an Internet scan had occurred of the regional network, which was trafficked through the NPS wide area network firewall. However, the regional network manager did not receive feedback or a response from NPS management, thus the regional network manager had little assurance that the potential incident had been mitigated. In addition, NPS had not ensured that all individuals responsible for IT security management were adequately trained in their incident handling responsibilities.

Capability for detecting, identifying, and reporting IT misuse was limited.

NPS was not routinely creating, reviewing, and maintaining system logs for network operating systems and routers. System logs are used to detect and identify system misuse or inappropriate actions of authorized and unauthorized users. At several locations the logs were set to overwrite at a very low threshold; thus the logs were overwritten frequently and historical information was lost. At some locations we visited, the logs were not created, and logs that did exist were not being periodically reviewed. NPS had no policy for creating, reviewing, and maintaining system logs. Without appropriate logging of system activities, NPS may not be aware of potential incidents and be able to timely identify individuals who were misusing IT resources.

Standardized configuration of network security infrastructure was lacking.

There was no standard configuration of NPS’ network security infrastructure, such as the use and placement of firewalls and intrusion detection systems. At one park, IT security personnel incorrectly assumed that the NPS wide area network, NPSNet, was providing security to protect their specific network, systems, and data. We also found that regions and park units had not always implemented significant protection for their networks, such as firewalls. At two locations that had implemented firewalls, IT system administrators detected scanning of their networks from the Internet, which could be considered a threat that was not blocked at the NPSNet level. Without a standard security configuration, NPS was not able to effectively protect its IT resources and ultimately implement security best practices.

RECOMMENDATIONS FOR IMPROVING NPS’ INFORMATION SECURITY MANAGEMENT PROGRAM

We recommend that the Director, NPS:

   1. Assign to the CIO the duties and responsibilities as defined by the Secretary and authorize the CIO to issue information security directives to NPS personnel with IT security responsibilities.

   2. Implement an effective information security program.
In establishing this program, NPS should consider:

   • Dual reporting of information security management staff:

      - At regions, RITSMs should report to the regional directors and to the CIO and be authorized to carry out IT security management responsibilities directly to regional and park IT staff.

      - At park units, IT personnel should report to the superintendents and to the regional information security managers.

   • Dedicate the BITSM and RITSMs to only security program management.

   3. Provide written notification to personnel with IT security responsibilities specifying their duties and functions. Hold individuals accountable for fulfilling these responsibilities through annual performance evaluations. In meeting this requirement, NPS should:

   • Identify all individuals/positions, such as associate directors, program managers, regional directors, and all staff who are responsible for managing and administering NPS IT systems, networks, and data.

   • Review position descriptions of all positions identified as having IT security responsibilities and update the position descriptions to reflect current duties and responsibilities.

   • Update individual performance evaluation plans for those positions identified as having IT security responsibilities to include information security management tasks, functions, and strategic planning.

   • Designate, for each position having IT responsibilities, a sensitivity level commensurate with the risks of the duties performed and ensure the appropriate background checks or re-checks be performed based on the designated sensitivity level.

   4. Separate the duties and responsibilities of IT personnel to ensure that unauthorized activities can be detected timely. To ensure duties and responsibilities are adequately separated, NPS should:

   • Identify personnel at all locations who have IT security management duties and responsibilities and who are also responsible for performing system and network administration duties. If possible, separate these duties or develop alternative processes to provide for separation of duties.

   • Implement alternative controls, such as moving some security management responsibilities to different organizational levels, if separation of duties at some locations is not cost effective.

   • Identify personnel at all major data centers who are responsible for programming software applications and for system administration functions and separate these duties or develop alternative processes to provide for separation of duties.

   • Identify the lack of separation of duties in the security plans and require management to formally accept the risk associated with the lack of separation of duties if alternative controls are not feasible.

   5. Modify all IT support contracts to require position sensitivity for all IT positions and require appropriate background investigations and security clearances for all contractor personnel performing IT functions.

   6. Establish an IT career-training program for all NPS IT professionals. The training program should be based on NPS’ implemented and planned systems, networks, and software. NPS should periodically review the training program to ensure that IT professionals are provided training on the most current security requirements and the most up-to-date technology implemented or planned by NPS.

   7. Perform asset valuations for all general support systems and applications to properly categorize these systems based on their importance and critical loss criteria in accordance with the Department’s “Asset Valuation Guide.”

   8. Perform risk assessments of all general support systems and major applications to identify risks, threats, and vulnerabilities that impact the accomplishment of the NPS’ and the Department’s missions and the security and data integrity, confidentiality, and availability. NPS should also ensure that risk assessments include input from senior management and data owners.

   9. Develop security plans for all general support systems and major applications following NIST and Departmental guidelines.

   10. Establish procedures to ensure that the POA&Ms are used as a management tool. The procedures should include:

   • Requirements for reporting all the weaknesses identified and reported by OIG, NPS, and other reviews performed on behalf of NPS.

   • A prioritized strategy to correct all identified security problems.

   • Assurance that the completion dates are supported by the applicable documentation.

   • Requirements for corrective actions that exceed 6 months to have incremental steps to correct the weaknesses, milestone dates, and resources required.

   • Integration of resources identified in the POA&Ms for correcting weaknesses with the capital investment planning and control process.

   11. Establish a standardized process for system user accounts that includes:

   • Coordinating with Human Resources, system owners, and supervisors to identify and report to the IT system security administration staff the names of employees who are no longer employed by NPS, have a change in responsibilities and duties, or have transferred from NPS locations. Upon notification, IT system security administration staff should disable user accounts or immediately terminate access from all applicable systems, applications, and data centers.

   • Establishing a policy requiring each user of NPS systems to have unique user identifications. The policy should specifically state when a single user could have multiple identifications and describe the controls to ensure the use of multiple identifications does not circumvent separation of duties.

   • Developing procedures requiring system owners or supervisors to periodically review and validate users’ access and privileges.

   12. Establish standard password configuration settings to ensure that all IT system resources are protected at an acceptable level.

   13. Establish policies, procedures, and practices to ensure that physical and environmental controls protect systems and data from misuse or interruption, and physical damage or destruction, and that personnel have a safe working environment. In developing these policies, procedures, and practices, NPS should:

   • Evaluate the facilities that house the data centers, server rooms, and telecommunications closets to determine if the access controls and environmental controls are effective. If the controls are not effective, identify cost effective remediation controls and report the status in NPS’ POA&Ms.

   • Review the current lists of personnel with access to all data centers, determine if the access granted is necessary, and revoke access that is not required.

   • Require the use of sign in/sign out logs or other entrance/exit technologies at data centers and compare physical access logs to computer logs.

   14. Establish standard change management procedures to ensure that all changes are authorized, tested, and approved prior to updating operating systems and applications. To aid in standardizing its change management process, NPS should consider the use of change management software to assist in the control over modifications made to operating systems and applications.

   15. Establish policies and procedures to ensure that all NPS systems and applications can be restored or recovered timely in the event of system failures or disasters. These policies and procedures should:

   • Define the appropriate backup and recovery requirements of IT services that clearly define personnel roles and responsibilities and standard types of backups and timeframes for backing up systems and data.

   • Define appropriate offsite storage locations and ensure that backup data and system documentation are stored in these offsite storage locations.

   • Develop continuity of operations plans for all NPS locations and ensure that the plans are tested and updated annually.

   16. Establish an incident handling organizational structure and a process for identifying, reporting, and mitigating computer-related incidents.

   17. Establish policies and procedures to ensure that systems are logging relevant information, logs are maintained for an appropriate period of time to provide an adequate audit trail of systems activities, and the logs are reviewed periodically to identify inappropriate activities.

   18. Establish standard network security infrastructure based on a layered security approach that includes firewalls and intrusion detection systems throughout the NPS internal networks. To accomplish this layered security approach, NPS should:

   • Require that network topologies be developed for all offices, program centers, regions, and park units to determine the appropriate security infrastructure solution that complies with best practices.

   • Create standard firewall rules that prevent unauthorized access from the Internet into the park unit networks.

AGENCY RESPONSE AND OFFICE OF INSPECTOR GENERAL REPLY

In the February 6, 2004 response to the draft report (Appendix 3), the NPS Director concurred with the 18 recommendations. The response described recent NPS IT security accomplishments and commented on the findings and recommendations. Also, the NPS CIO provided subsequent information about the report and the response. We revised the report as we considered appropriate based on the NPS response and additional information provided.

Based upon NPS’ replies, we classified Recommendations 7 and 8 as resolved; Recommendations 12 and 13 as resolved but not implemented; Recommendations 1, 2, 3, 4, 5, 6, 10, 11, 14, and 16 as management concurs but additional information required; and Recommendations 9, 15, 17, and 18 as unresolved. (See Appendix 4.) Even though NPS agreed with all the recommendations, we considered four of the recommendations as unresolved because the proposed actions did not meet the intent of the recommendations, as discussed below.

Recommendation 9.
Although NPS completed all “initial” system security plans in December 2003, our recommendation was to develop system security plans for all general support systems following NIST Special Publication 800-18 and Departmental guidelines. While Departmental guidelines include the development of “initial” system security plans, these initial plans are not a finalized system security plan. That is, they do not include information from risk assessments and system testing and evaluations. As such, they do not adequately address the controls necessary to reduce risk to an acceptable level. Further, NPS disagreed that system security plans were needed for each park unit’s and regional office’s local area networks even though these networks are under the management control of the respective parks and regions. According to Office of Management and Budget Circular A-130, Appendix III, these networks are general support systems requiring system security plans. Furthermore, without system security plans for each of these local area networks, NPS has little assurance that these networks are operating securely and that the NPS-wide network is adequately safeguarded. NPS should prepare a plan for developing system security plans for all general support systems and major applications and for incorporating park units and regional office local area networks into its one general support system.

Recommendation 15. NPS stated that a continuity of operations plan would be completed by its IT Infrastructure team by 2005. Our understanding is that NPS is developing one continuity of operations plan for its one general support system. If that is the case, we do not believe that NPS will have sufficient procedures to ensure that major applications are restored timely and those NPS locations that input, process, transport, and store information will be able to recover from system failures or disasters expeditiously. NPS should develop policies and procedures ensuring that NPS information, systems, and applications can be restored or recovered timely; that backup and recovery is practiced by all levels of NPS management; that offsite facilities are adequate; and that continuity of operations plans are tested and updated annually.

Recommendation 17. NPS is requesting funding for acquiring software to manage system events. Our recommendation, however, dealt with preparing policies and procedures to make sure relevant information about system events was logged and reviewed. As logging capability currently exists within most NPS systems, the intent of our recommendation was for NPS to consider acquiring a software tool that would take advantage of existing logging capability and for NPS to periodically review logs to identify inappropriate activities.

Recommendation 18. The response focused on the conversion of the NPS core networks to the Department’s Enterprise Services Network. However, the recommendation was for NPS to develop a layered approach to security to include safeguarding all internal networks, such as the networks operated and maintained at regions and park units.

AUDIT OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to evaluate the effectiveness of NPS’ management and controls over IT resources to ensure integrity, confidentiality, and availability of information and IT systems. Specifically, we evaluated information security management practices and general controls over non-financial IT systems (see Appendix 1 for the systems reviewed).

To evaluate these controls, we reviewed NPS policies, procedures, and practices in place during April through August 2003, tested and observed security practices and IT security control techniques in operation, and held discussions with NPS staff to determine whether IT security controls were in place, adequately designed, and operating effectively. We performed on-site work at NPS headquarters in Washington, D.C. and other NPS locations listed in Appendix 1.

Our audit was conducted in accordance with the “Government Auditing Standards” as issued by the Comptroller General of the United States. Accordingly, we included tests and other auditing procedures that were considered necessary under the circumstances.

APPENDIX 1

SITES VISITED AND SYSTEMS REVIEWED

   Site / system reviewed                                    Location

   Office of the Chief Information Officer
      Network Management Office (NMO)                        Denver, Colorado
         NPS wide area network (WAN)/(NPSNet)
      National Information Systems Center (NISC)             Denver, Colorado
         Denver General Support System (GSS)/local area network (LAN)
      Information Technology Center (ITC)                    Washington, D.C.
         ITC LAN

   Natural Resources Program
      Natural Resources Program Center (NRPC)                Ft. Collins, Colorado and Denver, Colorado
         NRPC GSS/LAN

   Intermountain Region (IMR) [5]
      Santa Fe Support Office                                Santa Fe, New Mexico
         IMR GSS/WAN
      Rocky Mountain National Park                           Estes Park, Colorado
         Rocky Mountain LAN
      Bandelier National Monument                            Los Alamos, New Mexico
         Bandelier LAN

   Pacific West Region (PWR)
      Regional Office and Pacific Great Basin Support Office  Oakland, California
         PWR GSS/WAN
      Golden Gate National Recreation Area                   San Francisco, California
         Golden Gate LAN
      Point Reyes National Seashore                          Point Reyes, California
         Point Reyes LAN

[5] The Intermountain Regional Office headquarters is located in Denver, Colorado and is supported by the National Information Systems Center.
The Santa Fe Support Office provides support for regional and\nsupport personnel located in Santa Fe, New Mexico and for all the parks in the region.\n\n                                                  25\n\x0cThis Page Intentionally Left Blank\n\n\n\n\n               26\n\x0c                                                                                                                 APPENDIX 2\n\n\n                                   SUGGESTED MATRIX OF\n                             POSITION SENSITIVITY DESIGNATIONS\n                              FOR A GENERAL SUPPORT SYSTEM\n                      (The minimum level of investigation associated with Public Trust Positions)\n\n                                                   Designation\n                                                  Investigation\n         Role              Position               Requirement6                                   Justification\nProgram Manager      Deputy Director            High Risk \xe2\x80\x93 BI         Senior manager for system. As program manager who has ultimate\n                                                                       management authority for systems.\n\nInformation Owner    Program Managers,          Moderate Risk \xe2\x80\x93 MBI    Senior manager for data contained in the system for their\n                     Regional Directors,                               individual program, region, or park unit. System security and\n                     Park Unit                                         back-up procedures, minimize the opportunity for a regional\n                     Superintendents                                   director, superintendent or program manager to do major harm to\n                                                                       the system. Oversight provided by headquarters.\n\nInformation System   CIO                        Moderate Risk \xe2\x80\x93 MBI    Minimal system access. 
Provides policy oversight for data\nOwner                                                                  management.\nSecurity Manager     BITSM/RITSM                High Risk \xe2\x80\x93 BI         Responsible for system integrity, confidentiality, and availability.\n                                                                       Prepares bureau policy for system security.\n\nSystem Manager       Deputy CIO                 High Risk \xe2\x80\x93 BI         Provides technical oversight to all system operations and\n                                                                       administration from a headquarters level. Provides policy and\n                                                                       guidance for regional and field operations.\nSystem7 Security     Multiple employees         Moderate Risk \xe2\x80\x93 MBI    Responsible for system security design, testing, and maintenance\nManager              located in                                        under the technical guidance of the OCIO.\n                     headquarters, offices,\n                     program centers,\n                     regions, and park units.\nSystem2              Multiple employees         Moderate Risk \xe2\x80\x93 MBI    Responsible for system operation and maintenance at headquarters,\nAdministrator        located in                                        offices, program centers, regions, or park units. Work is under the\n                     headquarters, offices,                            technical oversight of Regional Directors or Associate Directors.\n                     program centers,\n                     regions, and park units.\nInternal NPS         Office, program            Low risk \xe2\x80\x93 NACI        Responsible for data entry and update. 
Access to the system is\nUsers2               center, regional, and                             limited to the functions performed and registration is required and\n                     park unit employees                               managed by the system security managers or system\n                                                                       administrators.\n\n\n     This matrix was developed by the Office of Inspector General for use by the National\n     Park Service as a guide to develop position sensitivity designations consistently for its\n     personnel with IT responsibilities. The matrix was based on a U.S. Geological Survey\n     review of roles and positions identified with IT responsibilities for one of its major\n     applications. For each role and position, a level of risk/sensitivity and the related type of\n     background investigation was defined along with the justification for the sensitivity level\n     and type of background investigation.\n\n\n\n\n     6\n      BI \xe2\x80\x93 Background Investigation; MBI \xe2\x80\x93 Minimum Background Investigation; NACI \xe2\x80\x93 National Agency\n     Checks and Inquiries.\n     7\n      The duties and background investigation requirements are applicable to federal employees, contractor\n     employees, and volunteers.\n\n                                                                  27\n\x0cThis Page Intentionally Left Blank\n\n\n\n\n               28\n\x0c     APPENDIX 3\n\n\n\n\n29\n\x0c30\n\x0c31\n\x0cThis Page Intentionally Left Blank\n\n\n\n\n               32\n\x0c                                                                                 APPENDIX 4\n\n\n               STATUS OF AUDIT REPORT RECOMMENDATIONS\n\n RECOMMENDATION\n    REFERENCE                   STATUS                      ACTION REQUIRED\n\n7 and 8                   Resolved               No further response is required.\n\n12 and 13                 Resolved, not          No further response to the Office 
of\n                          implemented            Inspector General is required. The\n                                                 recommendations will be forwarded to\n                                                 the Assistant Secretary for Policy,\n                                                 Management and Budget for tracking of\n                                                 implementation.\n\n2, 3, 4, 6, 10, 11, and   Management             Provide the title of the official\n16                        concurs, additional    responsible for implementation.\n                          information\n                          required.\n\n1, 5, and 14              Management             Determine how the recommendation will\n                          concurs, additional    be implemented and provide plans\n                          information            describing implementing actions, target\n                          required.              dates, and responsible officials\n\n9, 15, 17, and 18         Unresolved.            Reconsider the proposed corrective\n                                                 actions and provide an updated reply.\n\n\n\n\n                                                33\n\x0cThis Page Intentionally Left Blank\n\n\n\n\n               34\n\x0c'